[BreachExchange] Protecting your crown jewels in today’s Information Age

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 29 18:57:20 EST 2016


http://www.securityinfowatch.com/article/12289885/protecting-your-crown-jewels-in-todays-information-age


We find ourselves in the midst of a digital revolution which continues to
grow rapidly. Both organizations and individuals have become fully immersed
in today’s “Information Age”. We are generating and consuming information
at an astounding rate, contributing to the information explosion and
leaving behind an extensive information footprint in digital, physical and
spoken formats. This trend is set to continue: global data volumes are
forecast to reach 44 zettabytes (44 trillion gigabytes) by 2020.

Today, valuable information is used to compete and succeed in a global
market; intangible information assets can represent 80 percent or more of
an organization’s total value. With that being said, organizations must
prioritize the protection of their mission-critical information assets.
These assets require clear ownership and heightened protection due to the
risks to which they are exposed.

Determining Your Mission-Critical Information Assets

For centuries, organizations have been acquiring, producing, leasing,
licensing and selling assets. Accounted for in financial statements, these
assets represent an organization’s wealth and financial stability. This
makes them vulnerable to theft and fraud. As a priority, organizations
should focus on those assets that are of the highest value and risk –
commonly referred to by business leaders as the “crown jewels”.

Assets such as property, plant and equipment are tangible whereas
information is an intangible asset. There are two types of intangible
assets:

- Legal – such as trade secrets, copyrights, and customer lists
- Competitive – such as company culture, collaboration activities and
  customer relationships

Both types are essential drivers of competitive advantage and shareholder
value today. It’s common to view the value or importance of information by
using a simple classification chart (e.g., negligible, low, moderate and
high); however, mission-critical information assets represent only the very
tip of the highest layer. Information of high business value or impact
could still register as “high” or “critical” but not necessarily be
designated as mission-critical. Traditional risk assessment approaches
would not identify this information separately, so mission-critical
information assets typically require a different approach to identification.

Recent Information Security Forum (ISF) research uncovered two main factors
that typically influence whether or not an information asset is classed as
a crown jewel:

- Its value to the organization
- The potential business impact if compromised

At the ISF, we refer to information assets with a high value and business
impact rating as “mission-critical information assets”. Examples of
mission-critical information assets include details of:

- Information that supports overall business operations, e.g., board papers,
  M&A or upcoming redundancy plans
- Material relating to possible and planned future products and services,
  e.g., formulas for new drugs, engineering specifications or upcoming
  exploration locations
- Information relating to promoting and selling an organization’s products
  and services, e.g., noncompetition agreements, competitive analysis or an
  upcoming marketing campaign.

When identifying mission-critical information assets, organizations should
take into account the extent to which:

- The information asset contributes to, or supports, business value (e.g.,
  business revenue; competitive advantage; operational effectiveness; and
  legal, regulatory or contractual compliance)
- The business could be impacted in the event of the confidentiality,
  integrity or availability of the information asset being compromised,
  considering any financial, operational, legal/regulatory compliance,
  reputational, or health and safety implications.

With Value Comes Significant Risk

Business leaders often consider the value of mission-critical information
assets, but fail to recognize the extent to which these assets are exposed
to threats and the potential business impact should they be compromised.
These assets often attract the attention of highly motivated, capable and
well-funded adversarial threats, such as unscrupulous competitors, nation
states, and organized criminal groups. The extensive footprint of these
assets provides more opportunities for attackers to gain access.

There are four challenges commonly experienced by organizations in the
protection of mission-critical information assets, each of which can be
addressed by applying the ISF Protection Process, a structured and
systematic five-phase process for determining the approaches required to
deliver comprehensive, balanced and end-to-end protection. These challenges
include:

- Many organizations have not identified all mission-critical information
  assets.
- Organizations often value mission-critical information assets but fail to
  consider the type or level of risk to them.
- An incomplete or inaccurate view of the factors influencing the real level
  of risk to mission-critical information assets leaves gaps in protection.
- Organizations typically rely on conventional approaches to deploying
  security controls for mission-critical information assets, leaving them
  vulnerable to attack.

Recent ISF research found that different types of mission-critical
information assets will often require innovative, advanced and sometimes
unique protection approaches, supported by a range of security controls.
Unfortunately, many organizations simply do not know what their
mission-critical information assets are, where these assets reside or who
is responsible for them. Few organizations have given focused attention to
defining their mission-critical information assets across the enterprise.
As a result, these assets are frequently incorrectly classified and poorly
managed.

The protection of mission-critical information assets requires the
involvement of different stakeholders throughout the organization. Business
leaders, information owners, legal experts, as well as IT and security
specialists are all required to play a role.

Threats to Mission-Critical Information Assets

Mission-critical information assets and associated footprints are exposed
to a broad range of threats that, collectively, can be described as a
threat landscape. The threat landscape comprises three common groups of
threats – adversarial, accidental and environmental – and some threats can
appear in multiple groups. For the purpose of this discussion, I’ll focus
on threats that are adversarial in nature.

Adversarial threats are individuals or groups who are committed to
achieving a particular – often malicious – objective. Mission-critical
information assets often attract the attention of highly motivated, capable
and committed adversarial threats. These sophisticated and well-resourced
adversarial threats often have access to:

- Many highly skilled individuals
- Extensive financial resources
- Advanced or specialist technical capability
- High capacity network bandwidth

There is no industry sector immune to adversarial threats. Adversarial
threats present a formidable and hostile environment within which
organizations operate, especially if different threats are combined. These
threats typically target mission-critical information assets using a
multitude of techniques and methods over an extended period of time,
including sophisticated cyber-attacks. Threat events are often initiated in
a particular sequence, forming a five-stage cyber-attack chain.

If highly motivated threats are not managed effectively, they will lead to
security incidents, including those caused by serious cyber-attacks,
potentially resulting in considerable and long-term business impact.

Conventional Protection Approaches Fall Short

Some organizations implement a compliance-based approach to protecting
particular information, which is unlikely to single out mission-critical
information assets for specialized protection. This can result in
significant gaps that remain undiscovered until a security incident occurs.

Other organizations apply a risk-based approach, although research
indicates that in many instances these efforts are not focused on the risks
specific to mission-critical information assets. Consequently, important
activities such as detailed analysis of the threats or accounting for the
complete footprint can be overlooked.

For many organizations, the skills shortage, combined with investment
constraints, inhibits their ability to build on existing approaches to
provide balanced and comprehensive protection. A common side effect is an
over-reliance on fundamental controls and a lack of enhanced and
specialized controls.

Go Above and Beyond Conventional Protection

Mission-critical information assets demand and justify the additional
investment to ensure these assets are adequately protected. However,
greater protection does not just mean performing additional security
activities or purchasing more security products. To protect
mission-critical information assets, including the footprint, a range of
different protection approaches are likely to be needed for different types
of mission-critical information asset. Information security practitioners
have to think and plan beyond existing protection capabilities and security
controls to provide owners of these information assets with protection that
is:

- Balanced, providing a mixture of informative, preventative and detective
  security controls that complement each other
- Comprehensive, providing protection before, during and after threat events
  materialize into security incidents
- End-to-end, covering the complete information lifecycle.

This will enable organizations to match the protection provided with the
sophistication of threats to mission-critical information assets.
Organizations should also consider controls that are:

- Automated, to complement manual security controls and help ensure greater
  levels of protection can be maintained
- Fast, operating in real time, supporting decisions that need to be made
  immediately
- Resilient, being resistant to direct attack by highly capable and committed
  threats.

While the need to provide mission-critical information assets with
specialized protection can appear obvious, organizations often experience
difficulties in identifying these assets, evaluating the extent of their
exposure to adversarial threats and understanding the true level of risk to
the organization. Consequently, many organizations do not adequately
protect their mission-critical information assets and are vulnerable to a
range of attacks, including serious cyber-attacks.

In contrast, ISF research has revealed that some organizations demonstrated
“good practice”, providing the necessary high levels of protection for
mission-critical information assets. These ISF members invest time and
resources in a range of security activities, which form part of a broader
set of good practices in information risk management and information
security.

Risks are Considerably Miscalculated

Mission-critical information assets represent the majority of value for
organizations of all sizes. However, the risks these assets attract are
significantly underestimated and high profile breaches continue. I can’t
stress enough that organizations must act now to identify their
mission-critical information assets and ensure these assets receive
balanced and comprehensive protection. In summary:

Balanced

Deliver appropriate, additional layers of preventative and detective
security controls.
This will provide early warning of emerging or imminent threat events,
enabling a balanced set of end-to-end controls to counter the main
adversarial threats.

Comprehensive

Apply fundamental, enhanced and specialized controls throughout the
information lifecycle.
This will reduce potential gaps in protection due to an extensive
footprint, supporting comprehensive and end-to-end protection.

Anything less leaves known risk in your organization.